Weird certbot behavior on Ubuntu 20.04

Hello there!

I wanted my own website for private reasons and want ofc secured traffic. This is only possible with the help of Let's Encrypt.

The Problem:
I can't auto-renew my certificate with a simple command. I have to struggle around to make a new one, but it never happens automatically, which ofc is a pain every month.

What is happening here? Every tutorial about certbot didn't work. And no, snapd doesn't work on my machine, I don't want it! I had .key and .crt files as my certificate, but since its renewal I have a .pem file, which at least works, but certbot doesn't like this new configuration.

My domain is: fsi-it.de

I ran this command: certbot renew --dry-run

It produced this output:

Error Log

Processing /etc/letsencrypt/renewal/fsi-it.de-0001.conf


Renewal configuration file /etc/letsencrypt/renewal/fsi-it.de-0001.conf is broken.
The error was: expected /etc/letsencrypt/live/fsi-it.de-0001/cert.pem to be a symlink
Skipping.


Processing /etc/letsencrypt/renewal/fsi-it.de.conf


Simulating renewal of an existing certificate for fsi-it.de and 2 more domains

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: cloud.fsi-it.de
Type: unauthorized
Detail: Invalid response from http://cloud.fsi-it.de/.well-known/acme-challenge/0j-48ZT3oZihq8w6vUII2NSNwE1TvvHu_10zeWlwYYQ [87.106.194.87]: "\n\n400 Bad Request\n\n

Bad Request</h1"

Domain: fsi-it.de
Type: unauthorized
Detail: Invalid response from http://fsi-it.de/.well-known/acme-challenge/pHT539zz9RayhOU3Zvo8x1pLbQKzjvrwA-FHkM1hvho [87.106.194.87]: "\n\n400 Bad Request\n\n

Bad Request</h1"

Domain: www.fsi-it.de
Type: unauthorized
Detail: Invalid response from http://www.fsi-it.de/.well-known/acme-challenge/Ub_ayhWg1vHVhZ08ffJXnZVceHTvVvbauhOWSmqDyJ4 [87.106.194.87]: "\n\n400 Bad Request\n\n

Bad Request</h1"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate fsi-it.de with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/fsi-it.de/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/fsi-it.de-0001.conf (parsefail)


1 renew failure(s), 1 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is: Apache2

The operating system my web server runs on is: Ubuntu 20.04.2 LTS

My hosting provider is: 1&1

I can only log in with PuTTY on my machine.

The version of my client is: certbot 1.16.0

Thanks in advance

1 Like

If you visit http://fsi-it.de/, you'll see that your webserver produces this "400 Bad Request" error even on its homepage:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

When I've seen this before, it's been because either:

  • Apache is configured with SSLEngine on/SSLCertificateFile/etc on a port 80 VirtualHost, which screws up all the port 80 virtualhosts
  • Some variant of <VirtualHost *:80 *:443>, which, similar to the first problem, screws up port 80.

What might help to narrow this down is to provide the output of:

sudo apachectl -t -D DUMP_VHOSTS
2 Likes

For me it visits fine. Strange...

This is my configuration. I can't see any errors.
87.106.194.87:443 is a NameVirtualHost
default server 8.8.8.8 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:3)
port 443 namevhost 8.8.8.8 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:3)
alias www.fsi-it.de
port 443 namevhost cloud.fsi-it.de (/etc/apache2/sites-enabled/nextcloud-le-ssl.conf:3)
alias cloud.fsi-it.de
port 443 namevhost fsi-it.de (/etc/apache2/sites-enabled/wordpress.conf:1)
*:80 www.fsi-it.de (/etc/apache2/sites-enabled/http.conf:1)

I have only a *:80 to redirect permanently. This should not be a problem.

1 Like

Could you please show the full contents of this file?

I would guess that there is something in that http.conf vhost that is causing SSL to be enabled on that port.

Sometimes port forwarding/iptables redirects can also be involved, but since you are hosting on a "proper" server, I think it's unlikely to be the problem in this case.

1 Like

Here it is. This is the whole file:

<VirtualHost *:80>
 Redirect permanent / https://fsi-it.de
</VirtualHost>

On all other sites there is nothing with 80.
I checked netstat, apache is the only application listening on this port.
Should I add these lines to another site?

1 Like

Nope, that should work fine.

Does that HTTP 400 Bad Request show up if you run this command in putty, so the server makes the request locally?

curl -X GET -I fsi-it.de

For reference, here is what I get:

HTTP/1.1 400 Bad Request
Date: Tue, 29 Jun 2021 08:42:59 GMT
Server: Apache
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1
1 Like

Yes. Same comes when I do it with localhost.

1 Like

Weird. I replicated your vhost setup locally and can't get that HTTP 400 to come up. I'm not sure what's causing it.

Does it also show up with:

curl -X GET -I 127.0.0.1
1 Like

As I said, with localhost the same happens.
It looks like Apache completely disabled port 80. But it is listening on it. Which file could affect this?

1 Like

I can think of one specific thing that would cause this.

If you configured SSLCertificate or SSLEngine or whatever outside of a VirtualHost tag, it will be inherited by every vhost, including your port 80 one, causing HTTPS to be enabled.

In turn, that would produce the HTTP 400 we see.

That's not visible from apachectl, so you'll have to check that for yourself.

3 Likes

Fixed it by adding SSLEngine off to the http.conf file. Looks like it got overwritten with the module.
The .pem certificate got renewed.
Now I get only:

Error Log

Processing /etc/letsencrypt/renewal/fsi-it.de-0001.conf


Renewal configuration file /etc/letsencrypt/renewal/fsi-it.de-0001.conf is broken.
The error was: expected /etc/letsencrypt/live/fsi-it.de-0001/cert.pem to be a symlink
Skipping.


Processing /etc/letsencrypt/renewal/fsi-it.de.conf


Simulating renewal of an existing certificate for fsi-it.de and 2 more domains


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/fsi-it.de/fullchain.pem (success)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/fsi-it.de-0001.conf (parsefail)


0 renew failure(s), 1 parse failure(s)

Thank you for your help!

2 Likes

Welcome to the Let's Encrypt Community, Taylor 🙂

A couple of observations:

  • Without ServerName/ServerAlias directives, this VirtualHost will likely behave in unexpected and undesirable ways (or do nothing at all)
  • There should be a "/" at the end of "https://fsi-it.de"

How to use Redirect in Apache:
https://cwiki.apache.org/confluence/plugins/servlet/mobile?contentId=115522444#content/view/115522444

1 Like
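The thread's diagnosis (SSL directives placed outside any VirtualHost are inherited by the port 80 vhost, which then answers plain HTTP with "400 Bad Request") and the closing observations about ServerName/ServerAlias and the trailing slash can both be checked mechanically. The script below is an added example, not code posted in this thread or shipped by Certbot or Apache: it scans Apache config files for SSLEngine / SSLCertificate* lines at global scope, and writes two constructed sample files (one reproducing the broken layout, one showing the port 80 vhost with the fixes the replies suggest) to demonstrate the check. The file names, the temporary directory, and the sample contents are assumptions made for the demo; on a real server you would point it at the files listed by `apachectl -t -D DUMP_INCLUDES`.

```shell
#!/bin/sh
# Added example (not from the thread): find SSLEngine / SSLCertificate*
# directives that sit outside every <VirtualHost>. Apache applies such global
# directives to all vhosts, port 80 included, which turns plain-HTTP requests
# into "400 Bad Request". Sample configs below are constructed for the demo.

set -eu

# Print "file:line: directive" for every SSLEngine / SSLCertificate* line that
# is not nested inside a <VirtualHost> block. <IfModule> does not change scope,
# so a directive inside <IfModule mod_ssl.c> at top level is still reported.
find_global_ssl() {
    awk '
        FNR == 1 { depth = 0 }                         # nesting depth per file
        /^[[:space:]]*#/ { next }                      # skip comment lines
        /^[[:space:]]*<VirtualHost/ { depth++; next }
        /^[[:space:]]*<\/VirtualHost>/ { depth--; next }
        depth == 0 && /^[[:space:]]*SSL(Engine|Certificate[A-Za-z]*)[[:space:]]/ {
            sub(/^[[:space:]]+/, "")
            print FILENAME ":" FNR ": " $0
        }
    ' "$@"
}

# Number of offending directives across the given files (0 when clean).
count_global_ssl() {
    find_global_ssl "$@" | awk 'END { print NR }'
}

# Write two constructed config files into a fresh directory and print its path:
# broken.conf mirrors the failure mode discussed in the thread, fixed-http.conf
# is the port-80 redirect vhost with the fixes suggested in the replies
# (ServerName/ServerAlias, explicit SSLEngine off, trailing slash on the target).
make_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/broken.conf" <<'EOF'
# global scope: these leak into every vhost, including *:80
<IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/fsi-it.de/fullchain.pem
</IfModule>
<VirtualHost *:80>
    Redirect permanent / https://fsi-it.de
</VirtualHost>
EOF
    cat > "$d/fixed-http.conf" <<'EOF'
<VirtualHost *:80>
    ServerName fsi-it.de
    ServerAlias www.fsi-it.de cloud.fsi-it.de
    SSLEngine off
    Redirect permanent / https://fsi-it.de/
</VirtualHost>
EOF
    echo "$d"
}

# Stand-alone demo: report the broken file, confirm the fixed one is clean.
samples=$(make_sample_configs)
echo "global-scope SSL directives in broken.conf:"
find_global_ssl "$samples/broken.conf"
echo "global-scope SSL directives in fixed-http.conf: $(count_global_ssl "$samples/fixed-http.conf")"
rm -rf "$samples"
```

The scanner only follows the files you hand it, so run it over every file Apache actually includes rather than just sites-enabled; a global `SSLEngine on` hidden in a module or conf-enabled snippet is exactly the case `apachectl -t -D DUMP_VHOSTS` does not reveal. After editing, `apachectl configtest` plus `curl -I http://127.0.0.1/` from the server itself confirms that port 80 answers with a redirect instead of a 400.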
